Analysis
max time kernel: 16s
max time network: 147s
platform: windows7_x64
resource: win7
submitted: 25-10-2020 18:08
Static task: static1
Behavioral task: behavioral1
Sample: 70c80253c09aacccddce335b5f3513b4.exe
Resource: win7
General
Target: 70c80253c09aacccddce335b5f3513b4.exe
Size: 2.3MB
MD5: 70c80253c09aacccddce335b5f3513b4
SHA1: f0a87849b3e2306ce3688cb65fcab8ae74e1bba4
SHA256: 6be2502f47fd78cdabd91d5d2aa199112cf22a4cb9302e3fca67c34ab0ff9d48
SHA512: 85697ac775ed1d923413dacd57b35dcfb5ddf0ad391733c6972f5106dd3502a3537ee1591764003af1364da0863daff4742c1aadbecf988a7b30eb9784e4ec2c
Malware Config
Signatures
- Echelon log file (1 IoC)
  Detects a log file produced by Echelon.
  Rule: yara_rule echelon_log_file
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers commonly target stored browser data, which can include saved credentials.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows: flow 4 api.ipify.org; flow 5 api.ipify.org; flow 8 ip-api.com; flow 10 api.ipify.org
- Suspicious use of NtSetInformationThreadHideFromDebugger (13 IoCs)
  Processes: PID 1492 70c80253c09aacccddce335b5f3513b4.exe (13 occurrences)
- Program crash (1 IoC)
  Processes: PID 620 WerFault.exe, target PID 1492 70c80253c09aacccddce335b5f3513b4.exe
- Modifies system certificate store (2 IoCs)
  Processes: 70c80253c09aacccddce335b5f3513b4.exe
  Set value (data): \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 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
  Key created: \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes: PID 1492 70c80253c09aacccddce335b5f3513b4.exe (13 occurrences); PID 620 WerFault.exe (5 occurrences)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Token SeDebugPrivilege, PID 1492 70c80253c09aacccddce335b5f3513b4.exe; Token SeDebugPrivilege, PID 620 WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: PID 1492 70c80253c09aacccddce335b5f3513b4.exe wrote to memory of PID 620 WerFault.exe (3 occurrences)
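Detection of the external-IP lookup behaviour recorded in the signatures above, as an added example that is not part of the sandbox report or of the tool that produced it: a Python triage helper that scans Sysmon DNS query (Event ID 22) style lines for queries to public-IP lookup services and reports processes that hit more than one such service. The log lines, the Image/ProcessId/QueryName field layout, and the services beyond api.ipify.org and ip-api.com are constructed assumptions for the example.

```python
"""Flag processes that query external-IP lookup services in DNS logs."""
import re
from collections import defaultdict

# Services commonly used by infostealers to learn the victim's public IP.
# api.ipify.org and ip-api.com are the two seen in the report above; the
# others are assumed additions a practitioner would usually include.
IP_LOOKUP_DOMAINS = {
    "api.ipify.org", "ip-api.com", "ipinfo.io", "icanhazip.com",
    "checkip.amazonaws.com", "ifconfig.me",
}

# Sysmon Event ID 22 (DnsQuery) style lines, constructed for this example.
SAMPLE_DNS_LOG = """\
Image: C:\\Users\\Admin\\AppData\\Local\\Temp\\70c80253c09aacccddce335b5f3513b4.exe ProcessId: 1492 QueryName: api.ipify.org
Image: C:\\Users\\Admin\\AppData\\Local\\Temp\\70c80253c09aacccddce335b5f3513b4.exe ProcessId: 1492 QueryName: api.ipify.org
Image: C:\\Program Files\\Mozilla Firefox\\firefox.exe ProcessId: 2210 QueryName: www.mozilla.org
Image: C:\\Users\\Admin\\AppData\\Local\\Temp\\70c80253c09aacccddce335b5f3513b4.exe ProcessId: 1492 QueryName: ip-api.com
Image: C:\\Windows\\System32\\svchost.exe ProcessId: 900 QueryName: ctldl.windowsupdate.com
Image: C:\\Users\\Admin\\AppData\\Local\\Temp\\70c80253c09aacccddce335b5f3513b4.exe ProcessId: 1492 QueryName: api.ipify.org
"""

LINE_RE = re.compile(
    r"Image: (?P<image>.+?) ProcessId: (?P<pid>\d+) QueryName: (?P<qname>\S+)"
)


def is_ip_lookup_domain(qname: str) -> bool:
    """True if qname is, or is a subdomain of, a known IP-lookup service."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in IP_LOOKUP_DOMAINS)


def parse_dns_log(text: str):
    """Yield (image, pid, qname) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["image"], int(m["pid"]), m["qname"]


def find_ip_lookups(text: str) -> dict:
    """Group IP-lookup queries by (image, pid) -> {domain: count}."""
    hits = defaultdict(lambda: defaultdict(int))
    for image, pid, qname in parse_dns_log(text):
        if is_ip_lookup_domain(qname):
            hits[(image, pid)][qname.lower()] += 1
    return {key: dict(doms) for key, doms in hits.items()}


def suspicious_processes(text: str, min_distinct_services: int = 2) -> list:
    """Return (image, pid) pairs that queried at least min_distinct_services
    different lookup services. A single query to one service is common for
    benign software (VPN clients, updaters); querying several, as the sample
    above does with api.ipify.org and ip-api.com, is the stronger signal."""
    return sorted(
        key for key, doms in find_ip_lookups(text).items()
        if len(doms) >= min_distinct_services
    )


if __name__ == "__main__":
    for (image, pid), doms in find_ip_lookups(SAMPLE_DNS_LOG).items():
        print(f"{pid} {image}: {doms}")
    print("suspicious:", suspicious_processes(SAMPLE_DNS_LOG))
```

Suffix matching is used so that hosts such as ipv4.icanhazip.com match their parent service; the threshold on distinct services, rather than on raw query count, keeps a single benign "what is my IP" call from paging anyone.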
Processes
- C:\Users\Admin\AppData\Local\Temp\70c80253c09aacccddce335b5f3513b4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\70c80253c09aacccddce335b5f3513b4.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe (child)
    Command line: C:\Windows\system32\WerFault.exe -u -p 1492 -s 2896
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
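The "Modifies system certificate store" entry above (the sample creating a key under the user's SystemCertificates\CA\Certificates and setting its Blob) deserves a caveat before it is treated as evidence of trust tampering: CryptoAPI caches intermediate certificates encountered while building a TLS chain in exactly that CurrentUser CA store, so any process that completes an HTTPS connection can trigger the same write. A write under Root, AuthRoot or TrustedPublisher, or by a process that is not an installer or a Windows service, is a much stronger signal. Below, as an added example that is not part of the report, is a Python scorer over Sysmon registry value-set (Event ID 13) style lines that extracts hive, user SID, store and thumbprint and grades each write on that basis. The log lines and the all-zero thumbprints are constructed for the example; the first line mirrors the report's own IOC in Sysmon's HKU\ path notation.

```python
"""Grade registry writes to Windows certificate stores from Sysmon-style logs."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sysmon Event ID 13 (RegistryEvent, value set) style lines, constructed for
# this example. The first mirrors the write in the sandbox report; the all-zero
# thumbprints are placeholders, not real certificates.
SAMPLE_REG_LOG = """\
EventType: SetValue Image: C:\\Users\\Admin\\AppData\\Local\\Temp\\70c80253c09aacccddce335b5f3513b4.exe ProcessId: 1492 TargetObject: HKU\\S-1-5-21-4210623931-3856158591-1213714290-1000\\Software\\Microsoft\\SystemCertificates\\CA\\Certificates\\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\\Blob
EventType: SetValue Image: C:\\Users\\Admin\\Downloads\\setup.exe ProcessId: 3044 TargetObject: HKU\\S-1-5-21-4210623931-3856158591-1213714290-1000\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\0000000000000000000000000000000000000001\\Blob
EventType: SetValue Image: C:\\Windows\\System32\\svchost.exe ProcessId: 900 TargetObject: HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\0000000000000000000000000000000000000002\\Blob
EventType: SetValue Image: C:\\Windows\\regedit.exe ProcessId: 4100 TargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
"""

IMAGE_RE = re.compile(r"Image: (?P<image>.+?) ProcessId: (?P<pid>\d+)")
# <hive>\[<user SID>\]SOFTWARE\Microsoft\SystemCertificates\<store>\Certificates\<sha1>\Blob
CERT_RE = re.compile(
    r"TargetObject: (?P<hive>HKLM|HKU)\\(?:(?P<sid>S-1-5-[\d-]+)\\)?"
    r"SOFTWARE\\Microsoft\\SystemCertificates\\(?P<store>[^\\]+)\\Certificates\\"
    r"(?P<thumb>[0-9A-F]{40})\\Blob",
    re.IGNORECASE,
)

# Stores whose contents change trust decisions. The CA store is deliberately
# absent: CryptoAPI also uses it as a cache for intermediates seen in TLS chains.
TRUST_STORES = {"root", "authroot", "trustedpublisher", "trustedpeople"}


@dataclass
class CertStoreWrite:
    image: str
    pid: int
    hive: str
    sid: Optional[str]
    store: str
    thumbprint: str
    severity: str


def grade(store: str, hive: str) -> str:
    """High for trust-anchor stores regardless of hive (most applications honour
    the per-user Root store too); the CA store is low under HKU, where a cached
    intermediate from an ordinary HTTPS connection lands, and medium under HKLM."""
    s = store.lower()
    if s in TRUST_STORES:
        return "high"
    if s == "ca":
        return "medium" if hive.upper() == "HKLM" else "low"
    return "medium"


def parse_cert_store_writes(text: str) -> List[CertStoreWrite]:
    """Extract every certificate Blob write; unrelated registry events are ignored."""
    out = []
    for line in text.splitlines():
        m = CERT_RE.search(line)
        proc = IMAGE_RE.search(line)
        if not (m and proc):
            continue
        hive = m["hive"].upper()
        out.append(CertStoreWrite(
            image=proc["image"], pid=int(proc["pid"]), hive=hive, sid=m["sid"],
            store=m["store"], thumbprint=m["thumb"].upper(),
            severity=grade(m["store"], hive),
        ))
    return out


def summarize(text: str) -> Dict[str, int]:
    """Count writes per severity, e.g. {'high': 2, 'low': 1}."""
    return dict(Counter(w.severity for w in parse_cert_store_writes(text)))


if __name__ == "__main__":
    for w in parse_cert_store_writes(SAMPLE_REG_LOG):
        print(f"[{w.severity}] pid {w.pid} {w.image} -> {w.hive} {w.store} {w.thumbprint}")
    print(summarize(SAMPLE_REG_LOG))
```

The report's own write scores low under this scheme, which is the right default for a lone CA-store entry; what would raise it is the thumbprint resolving to an unknown issuer, or the same process also touching Root or TrustedPublisher. Pair the score with a lookup of the thumbprint against a known-issuer list before escalating.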
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/620-3-0x0000000000000000-mapping.dmp
- memory/620-4-0x0000000001FB0000-0x0000000001FC1000-memory.dmp (68KB)
- memory/620-7-0x0000000002C70000-0x0000000002C81000-memory.dmp (68KB)
- memory/1492-0-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp (9.9MB)
- memory/1492-1-0x0000000000110000-0x0000000000111000-memory.dmp (4KB)